Recently I had a customer whose account kept getting locked out because someone was trying to brute-force their way into the company through the OWA portal hosted by their on-premises Exchange Server. Initially, finding this information was quite tricky, and I found a really useful set of PowerShell commands that helped me track down the source of the account lockouts (in this case the Exchange Server).

If you want to view the original source of the script, it can be found here: http://www.tomsitpro.com/articles/powershell-active-directory-lockouts,2-848.html

```powershell
Get-ADUser joebloggs -Properties badpwdcount,lockedout
```

This will show a nice table (sorry had to blank out the real user details!):

If you now run the following script on your DC:

```powershell
## Define the username that's locked out
$Username = 'joebloggs'

## Find the domain controller holding the PDC emulator role
$Pdce = (Get-ADDomain).PDCEmulator

## Build the parameters to pass to Get-WinEvent
$GweParams = @{
    'Computername' = $Pdce
    'LogName'      = 'Security'
    'FilterXPath'  = "*[System[EventID=4740] and EventData[Data[@Name='TargetUserName']='$Username']]"
}

## Query the security event log
$Events = Get-WinEvent @GweParams
```

This script will then search the Security event log for any account lockouts (event ID 4740) for joebloggs. If you then type $Events into the PowerShell window, you will get all the account lockout events associated with that user:

What we can now do is create a foreach loop to get the client system name/IP from each event, which will help you trace where the account is getting locked out:

```powershell
$Events | foreach { $_.Properties[1].Value }
```

This will then show a list of all the system names or IPs that caused the account lockout. I hope that helps out someone else who may be finding it difficult to work out what the source of an account lockout is.
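The steps above wrapped into one reusable function, as an added example that is not part of the original post. It reads the caller computer from the event's named EventData field rather than the positional Properties[1] slot, and summarises how many lockouts each caller produced; the function name, the time window parameter and the default of 7 days are assumptions.

```powershell
# Added example (not from the original post): query 4740 lockout events on the
# PDC emulator for one user and summarise the caller computers by count.
# Assumes the ActiveDirectory module and rights to read the PDCe Security log.
function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Username,
        [int]$Days = 7   # how far back to look (assumed default)
    )

    # Every lockout is reported to the PDC emulator, so query it directly
    $Pdce = (Get-ADDomain).PDCEmulator

    # timediff() is in milliseconds; restrict to the requested window
    $xpath = "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= $($Days * 86400000)]] " +
             "and EventData[Data[@Name='TargetUserName']='$Username']]"

    $events = Get-WinEvent -ComputerName $Pdce -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue

    $events | ForEach-Object {
        # In a 4740 event the caller computer is the TargetDomainName field.
        # Reading it by name avoids depending on the positional layout of Properties.
        $xml    = [xml]$_.ToXml()
        $caller = ($xml.Event.EventData.Data | Where-Object Name -eq 'TargetDomainName').'#text'
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            CallerComputer = $caller
        }
    } | Group-Object CallerComputer | ForEach-Object {
        [pscustomobject]@{
            CallerComputer = $_.Name
            Lockouts       = $_.Count
            LastLockout    = ($_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
    } | Sort-Object Lockouts -Descending
}

# Example usage: list the systems that locked out joebloggs over the last week
Get-LockoutSource -Username 'joebloggs' -Days 7 | Format-Table -AutoSize
```

The caller computer in a 4740 event is the machine that submitted the bad password to the DC (here the Exchange Server), not the remote client behind it, so the next stop is that system's own logs.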